Cheapo Air refund scam and virus infection via asupport.care web-site?
September 27, 2022 12:48 PM Subscribe
A friend bought airline tickets through CheapO Air then had to cancel a leg. Assured a refund was possible, but afraid that we've walked into a scam.
Smooth-talking phone voice had friend go to
Smooth-talking voice then instructed to visit airline web site and enter itinerary codes. This didn't work but voice said his supervisor had approved a direct refund if we'd just supply the original credit card number, at which point we balked, had enough, ended the call. Smooth voice had assured this asupport.care business was routine, for verification, true?
Now wondering if computer has been compromised. Already deleted clientSupport.exe, but what did it do? Also wondering about this possible refund, of course. Anybody familiar with any of these circumstances? Computer is Windows 10 Lenova.
Smooth-talking phone voice had friend go to
asupport.careand enter a code, resulting in a
supportClient.exedownloading, which friend then ran. Very brief blue screen appeared, with instruction not to power down, updates in progress. Also some quick cursor action friend could not control.
Smooth-talking voice then instructed to visit airline web site and enter itinerary codes. This didn't work but voice said his supervisor had approved a direct refund if we'd just supply the original credit card number, at which point we balked, had enough, ended the call. Smooth voice had assured this asupport.care business was routine, for verification, true?
Now wondering if computer has been compromised. Already deleted clientSupport.exe, but what did it do? Also wondering about this possible refund, of course. Anybody familiar with any of these circumstances? Computer is Windows 10 Lenova.
Site is privately registered back on May 2002, and only registered for 1 year.
Search for the name "supportclient.exe" shows that this was indeed one of the payload dropped by tech support scammers, as it sounds generic enough. It may have legitimate uses once upon a time. Does it look like the one in this video:
https://www.youtube.com/watch?v=mQVW6SkHVEA
I agree that this is VERY likely from a support scammer.
posted by kschang at 1:07 PM on September 27, 2022
Search for the name "supportclient.exe" shows that this was indeed one of the payload dropped by tech support scammers, as it sounds generic enough. It may have legitimate uses once upon a time. Does it look like the one in this video:
https://www.youtube.com/watch?v=mQVW6SkHVEA
I agree that this is VERY likely from a support scammer.
posted by kschang at 1:07 PM on September 27, 2022
Also, in case it's not clear, it seems unlikely that your friend has actually been speaking to someone from CheapOair - CheapOair is sketchy in the sense that they have pretty bad customer service and will leave you in the lurch if, e.g., your flight is cancelled, but I don't think they're, like, "complete scam to install malware and steal your credit card number" sketchy. Where did your friend get number that led to the smooth-talker? It may still be possible to get a refund via the proper channels (or it may not).
posted by mskyle at 1:34 PM on September 27, 2022 [9 favorites]
posted by mskyle at 1:34 PM on September 27, 2022 [9 favorites]
Yeah, if your friend googled something like "cheapo air customer support" they might've found a scammer site impersonating the company. Google's gotten better at this but it's still a problem.
Smooth voice had assured this asupport.care business was routine, for verification, true?
Any time anyone you don't know personally asks you to download anything over the phone, just hang up and investigate very carefully before proceeding any further.
posted by praemunire at 2:43 PM on September 27, 2022 [1 favorite]
Smooth voice had assured this asupport.care business was routine, for verification, true?
Any time anyone you don't know personally asks you to download anything over the phone, just hang up and investigate very carefully before proceeding any further.
posted by praemunire at 2:43 PM on September 27, 2022 [1 favorite]
Yeah, can you check the number that your friend dialed and verify that it was, in fact, the Cheap-O Air number (646-738-4845)? I'm guessing it wasn't.
posted by geegollygosh at 5:31 PM on September 27, 2022
posted by geegollygosh at 5:31 PM on September 27, 2022
This thread is closed to new comments.
If it finds anything, quarantine those items and reboot. Check Task Manager for anything that looks like ClientSupport or ScreenConnect or Connectwise Control. If any of those are running, right click and End Task on them, and then go in Settings and Apps and uninstall any mention of those three in there.
posted by deezil at 1:04 PM on September 27, 2022 [1 favorite]